Defense Forum Foundation
Congressional Defense and Foreign Policy Forum
“Cyberwarfare: Defense in an Offensive World”
Defense Forum Foundation
Blue Ridge Networks
Location: B-339 Rayburn House Office Building, Washington, D.C.
Time: 12:00 p.m. EDT
Date: Friday, June 21, 2013
Federal News Service
SUZANNE SCHOLTE: Good afternoon. If I could have everybody’s attention. I’m Suzanne Scholte, president of the Defense Forum Foundation, and it’s my pleasure to welcome you to our Congressional Defense and Foreign Policy Forum.
For those of you who are attending our forum for the first time, we’ve been doing these programs since the 1980s. It’s a nonpartisan session, opportunity for congressional staff to hear from expert speakers in the areas of defense, foreign affairs and human rights.
Before I introduce our speaker today, I want to recognize some special guests we have with us from the diplomatic community. First of all, Mrs. Hafida Djaoud from the Embassy of Algeria. Good to have you with us. We also have Ambassador Mohammed Beissat and Malainin Slama of the Sahrawi Republic. Ambassador. And Johannes Rigeur from the Embassy of Austria. Right there. And, of course, from the Defense Forum Foundation, our vice chairman, Ty McCoy, seated here. And Jeb Carney from the board of directors.
Well, thank you for joining us today, especially on a beautiful Friday afternoon. You noticed I just closed the curtain so I wouldn’t distract you. (Chuckles.) Early this year, Congressmen Dana Rohrabacher and William Keating co-chaired a subcommittee hearing entitled “Cyberattacks: An Unprecedented Threat to U.S. National Security.” Some have described cyber warfare as the greatest threat the United States faces, and it impacts national security, economic security and our entire way of life.
Our foundation, Defense Forum Foundation, has been sponsoring a series on this particular issue. For example, we hosted recently former CIA director Jim Woolsey, who talked about this issue in the area of how it affects energy security. Today, we have a very special speaker who has a long career in protecting both government and industry from cyberattacks.
John Higginbotham is the chairman and CEO of Blue Ridge Networks, an emerging leader in cybersecurity. He has over 30 years of experience in high-tech executive leadership. He began his career at Hewlett-Packard as a product manager for their entry into the microcomputer marketplace.
John was formerly chairman, now director-emeritus, of the Space Foundation, the premiere non-profit organization supporting space activities, space professionals and education. He’s a graduate of Virginia Tech with a BS with honors in civil engineering, and he received the university’s 2009 Distinguished Service Award. He obtained his MBA from Harvard Business School.
It’s a great honor to have him as someone who’s been in this field for so long to join our forum to address the extensive vulnerabilities that remain in cybersecurity in this ever-escalating time of attacks in this area. Thank you very much, John. (Applause.)
JOHN HIGGINBOTHAM: Thank you, Suzanne. And Happy Friday. Vice Chairman McCoy, other directors, honored guests, distinguished guests, it’s a great honor to speak with you. Thank you for the opportunity to come discuss obviously a very important topic. We were just chatting at the lunch table that some of us are the last generation of analogue, and fortunately, we have some digital natives here. We’re counting on you to address this problem because we’re catching up from my generation. You know, we were just commenting that it’s hard to describe how different the world was before we had cell phones and PDAs and the Internet – all previous generations in human history did not have this communication, so it really is a different world. Our entire world has changed.
I wanted to focus on three things today: the impact of the problem; the nature of the challenge to address it; and some perspectives to consider how you might approach making progress in addressing these challenges.
It’s an offensive world. Malware is escalating. We’ve read all the newspaper reports. Advanced persistent threats are on the rise. When you talk to your intelligence community friends out there, you’re going to hear words like advanced persistent threats, advanced targeted attacks, host-based exploits – those are things like phishing attacks and drive-by downloads and stealing your passwords - that we give all these big names, but it’s all the stuff you read about in the newspapers.
Targets are expanding. Tor a long time it was basically go after a government website somewhere and see if you could get in. Now, it’s banks, universities, retail enterprises, essentially anybody that’s online, that is absolutely exposed.
And the bad actors are escalating. More nation-states are getting involved. It used to be China versus U.S. But, read the newspaper – it’s escalating. If you’ve got a computer and a handful of smart people, you can go into the cyber espionage business. It’s escalating as a nation-state issue across the board. Not to mention the criminals, pranksters, and hacksters. It’s just become out of control.
I think this comment Suzanne made about how it effects the cornerstones of our society, I truly believe. We have tracked the numbers from various studies done on the impact of cybertheft and cyberpiracy. It’s hard to measure, but there are a number of good figures of merit, and I would put it this way. We’re in the 40th year of a negative balance of trade in the United States of America when you roll the clock back back to ’71, actually I think ’73, when we had a small positive trade balance.
So let’s think about that. We’ve had 40 years of negative trade. This issue is one of my pet peeves in that the discourse that we listen to every night on the television is always about the domestic budget when, in fact, the means of revenue for the country is our balance of trade.
So now you are the information society. We live in an information society. We have morphed from an industrial world into an information world. So what are the means of production in the information world? It’s the ideas, inventions, development, designs, media that we now invent and can put out in a global digital world.
My son is a movie producer. He worked on “Iron Man 3.” You know, I suspect they had it on the streets of Hong Kong before it got distributed here in the United States. Let’s think about that: you’ve got a situation here where the fundamental means of the way we create wealth is digital. If you go look at some of the studies as to the value of that economic wealth that has been ripped off, stolen, pirated over the last 10, 15, 20 years, I come up with a number of potentially $6 to $7 trillion of lost national income from the loss of intellectual property.
So let’s do that calculus on the internal deficit. Imagine if you could walk into all your constituents and say, hey, we just found you $6 trillion. I think we could solve some problems. And that’s just what we can measure. So you’ve got big numbers here, and they’re growing very rapidly.
So how are we doing on this? We know we need to protect these networks, we know we’re getting hammered, we know we’re losing money - what are we doing about it? Gartner estimates that the typical enterprise in this country with several thousand users is spending $600 a year trying to protect their users. The Poneman Institute came out with a study late last year that suggests even with that level of spending, the typical enterprise faces an 85 percent probability or greater of a successful attack.
So let’s think about that. We’re spending in the tens of billions of dollars – public and private – with the smartest minds on the planet trying to address this topic. How can this possibly be the case? I mean, we invented the Internet, we invented the concept of the modern open network cloud, we developed the core of the IT industry. We invented all this stuff, so how could it possibly be, with all this effort and money and brainpower that we have that level of a problem?
This is where we need to break into a little bit of technical discussion. You’ve got a situation here where the evolution of the networks that we use basically came out of the advent of TCP/IP. You probably heard that; that’s the Internet. Let’s think about what that was for. The fundamental objective was to have open networks.
The whole idea of TCP/IP is anyone could talk to anyone else for anything all the time every time globally. Mission accomplished. Triple gold star. Absolutely worked, created the social media you enjoy, downloads of movies off television: net-centric warfare; globalized the American industry; globalized the world’s industries; created the automated supply chain. You just start going down the list as to the value of an open network architecture that this has created. The information revolution was created by this. So you’ve got to give this a triple gold star.
How does the IT industry, which I would submit is basically mature now as we’ve been deploying open networks for 15 to 20 years, address cybersecurity? If you want to go get communications, the reality is there are three, maybe four communications companies that most people are going to go to. If you want to go get a server, maybe a half-a-dozen on that list. If you want to go get a router, there’re two or three. If you want to run applications over the networks, there’re five or six. You know who they are.
So we have a fairly predictable structure deployed by fairly predictable means by fairly predictable vendors. So we can look at this and realize you’ve got kind of a static model of what a network looks like.
So how do they handle trying to create roots of trust, because you’re fundamentally trying to create some kind of trust in terms of your communications? How you handle your data with all this kind of stuff? What do they normally do? They’ll build authentication methods, certifications, passwords, PINs, cryptography, hypervisors. All these technical terms are basically describing ways to bring some type of root of trust into the equation that says when I call you, it’s really you and it’s really me. And we’ll exchange the certificate, we’ll pass the password, and our systems will have some kind of crypto on it to protect you. Sounds great on paper.
But think of this model where we have known networks built up by known vendors, and each vendor is focused on their component, OK? You go to the server manufacturer, and they’re building in the best roots of trust possible for servers. You go to a router manufacturer and they’re building the best roots of trust possible for routers. You go to the applications provider and they’re building the best digital rights management systems you can possibly think of.
When I hit “send” to you, it’s using all that. And if you think about it, by taking a multi-vendor, multi-generational approach to building these networks, you’ve got layer on top of layer and they don’t talk to each other. You know, the hardware roots of trust that I build into my processors aren’t often compatible with the digital rights management in the application that’s running over it and doesn’t fit with the Internet protection protocols that might be present such as some type of SSL-VPN or IP/Sec Internet.
So you’ve got gaps, cracks, snaps, chinks, breaks in the IT data stack. That’s what a bad guy’s good at – finding them. And IT architecture is built that way and it will stay built that way. That’s the IT architecture we are trying to protect.
Finally, your fundamental objective in cybersecurity is trying to get cross-layer roots of trust for data in motion because data at rest is useless. You’ve got to do something with it. I’ve got to send it to you, I’ve got to process it, I’ve got to do something. That’s what we do with our networks. And as soon as we start doing that, we’re using the entire infrastructure which is relying on all of these pieces, and they don’t talk to each other.
So you’ve got fundamentally an objective of trying to create trustable operations on an untrustable network. Very important words. Thus, cybersecurity architecture is the exact opposite of the IT architecture. Let’s think about what we mean by security.
That means “to defend”, OK? I actually went to Webster’s and looked up what we really mean by “defend”. It’s the act of “preventing”. It’s “forbidding”. It’s the exact opposite of an open mentality so that I’m denying you access, I’m not allowing you in the network, I’m not allowing you to look at data. So I would submit to you the concept of cybersecurity is in fundamental design conflict with the modern IT architectures that we have deployed. And that’s the problem. We keep trying to approach the concept of cybersecurity from an IT architecture mentality, and they’re fundamentally in conflict.
So let’s look at how we deal with that. If you think in terms of defense or prevention as isolating something from the rest of the world, that gives you a way to start to get control of it. And then once you isolate it, you contain it so that it can’t be modified once you’ve isolated it. Gartner actually just created a new category called “Containment” because the light bulb’s starting to go on as to how we can create secure, closed networks inside of a wide open public untrustable cloud. And in conceptualizing how we can deal with defense in this offensive world, you start to get your head around how to forget about “fixing” the network. How do I protect the information, the data, the efficacy of what I’m trying to do, knowing full well it’s going to go over an unprotectable architecture?
That’s where you start to get into these concepts of isolation and containment for defense. The fundamental objective of this approach in cybersecurity is to prevent loss. As Suzanne shared, I used to run a space insurance company before I started my investment group. So we dealt with loss a little bit – (chuckles) – more than we wanted to. Imagine going to some people and saying, “I want to insure a satellite and launch vehicle”. And they say, “you want to do what? You know, these things go boom in the night and end up in the Indian Ocean most of the time.” But we did it, and we did it very successfully and we were able to build a whole industry that was quite interesting.
I think, perhaps, some of the lessons we learned in trying to deal with satellite communications are probably applicable to cybersecurity. You’re fundamentally trying to prevent loss, and in a manner that allows you to make a conscious decision of what risks you will withstand. Answers to what you will accept as risk versus what risks you will not accept. Then you’re going to spend money or do effort or do something to mitigate them or finance them, if you can’t make them go away.
So that takes us into the discussion of the economics of cybersecurity – the microeconomics. We discussed earlier the macroeconomic impact. At a microeconomic level, what’s the impediment? I mean, this is so obvious. What’s the impediment to everybody rushing out and deploying immediately any cybersecurity they can get their hands on?
We don’t understand the direct loss. You can’t make an economic decision until you understand and can quantify direct loss, the costs for remediation, the costs of lost productivity, the cost of the data value that you’ve lost. You’ve read the newspaper articles. You know, if you’re a bank, the last thing you want to do is tell your customers that you just got hacked, right? So you can’t get the data, and then they’re burying data. And it’s natural – it’s understandable, because they’re trying to protect their business. But at a public policy level, you can’t get your head around this, because you don’t have accurate data, and you can’t build reliable economic models to really start to tell you what this is costing you so you can make a conscious decision.
Let’s look at the consequential damages, which are even harder to quantify. That’s stuff like loss of reputation. Ask Sony,that got hacked on PlayStation about a year and a half ago. Their stock value went down by a factor of two. That was billions of dollars, OK? Believe me, they understand the impact of consequential damages from a cyber attack. But again, these are anecdotal. We don’t have predictable models and ways for a discriminating enterprise, public or private, to be able to sit down and analyze this and make a rational decision on what I spend money on versus what I don’t spend money on. So what that means is, if I’m making an IT decision how do I determine my costs to deploy a network. I’ve got rooms full of IT cost studies and analyses, so I’ve got a great knowledge base to make a rational decision on an IT spend. But how do I compare that to a cybersecurity spend?
So in a discriminating enterprise, it is very difficult to make these tradeoffs. Consider the dynamic of walking into and trying to explain this to an enterprise when you’ve got the CIO sitting on one side of the table and the chief security officer sitting on the other side of the table with inadequate tools to talk to each other. The beauty of having economic models that both sides can understand is that it brings a common ground for them to make these kinds of tradeoffs, because the CIO’s going to say, you’re not putting anything on my network that’s going to slow it down or deny my users the ability to use it. And the chief security officer is going to say, you’re not going to do anything on that network that isn’t secure. And normally, the way you make those trades is being able to try and determine productivity versus security.
Cybersecurity guys and gals are absolutely at a disadvantage to be able to make the case as to why security is really in the long-term best interest of an enterprise, public or private. So I think, in terms of being able to attack the problem in terms of the public debate – I think, fundamentally, it’s getting the debate going on the topic of balancing the economic tradeoffs of protection versus freedom and privacy. These are big topics that we’re all debating right now thanks to scale of the challenge. Better analytical tools and knowledge as to the nature of the economics of the challenge will to be able to offer some additional helpful perspectives in this debate.
As you think through this, you’re going to hear a lot about mandates for security, penalties, assessing liabilities and all this kind of stuff. That all sounds great, but if I can’t quantify what those liabilities are, what are we really talking about? That’s again where the economic models come in. Flipside is since fundamentally prevention is better than remediation, you want to incentivize enterprises to deploy cyber solutions at the beginning, not the end.
Basically what we’re doing now is trying to bolt on retrofit security on already deployed networks. Deming, if some of you remember your production theory, the grandfather of quality assurance, said you cannot inspect quality in, you have to build it in. So, in many ways, the detection methods that we’re using, the signature antivirus stuff that’s out there, these are fundamentally detection mechanisms that are not working. Well, guess what? You’re trying to inspect quality into a network that’s already built.
So you want to try and find not just the penalties for those that are not compliant but the incentives for them to make more rational decisions right up front as they think through how to deploy these networks. There is also suggestion of the need for and a lot of discussion about standards. I’m sure when you go to these meetings, you know, you’ll hear we have got to have standards. Standards, in general, are good. TCP/IP is essentially a standard - case closed. But you got to be real careful, what standards for what purpose. Is it standards for what this widget looks like or is it standards in terms of the policies because if you make it for what these widgets look like, you’re closing out innovation. And I think most of us in this room know that most of the innovation comes from the nontraditional players and that many times standards and certification processes become tools for traditional players to keep innovators out. Though standards in general are a good thing, the devil’s in the details. You got to really think through what you’re trying to accomplish with the standard because if you make it too narrow, you cut out the innovators and you’re going to miss the boat. Flipside is, if you do nothing then it’s the Wild West out there.
And then lastly, think in terms of mechanisms that allow new approaches for the defense institutions – this is a defense forum - to test alternatives more quickly, less expensively. The young entrepreneur -- entrepreneur in this business means anything under about 1,000 employees (chuckles) -- represents a different kind of business. Often times, it really cannot go through the sustained process that the large contractors could do in order to get approval or even look at a system. Here, I’ll give you an example. We presented one solution to an armed service that took 16 months just to decide whether they wanted to review a pilot or not (and the pilot was free). Contrast our shortest gestation from introduction to deployment that we won, a credit union - we handle a lot of banks - of 45 days. So, you know, if you’re a business, why am I going to burn 16 months, lots of man and woman hours - person hours - just to try it in a government process?.
So here’s where the defense institution, in my judgment, is missing out – a perspective applicable not just to cybersecurity, but essentially with respect to the entire technology market place. Don’t buy it. Just try it and if you like it, then buy it. But we have just an incredibly difficult time even trying things in the defense community.
CIA stood up a program that was kind of a rapid pilot program and it’s working brilliantly for them. That’s really how they have been able to rapidly progress along with a few others with similar approaches. For most federal needs though, it ain’t happening because there are so many hoops just to get considered. We were greenlighted for a test with another defense service 14 months ago. We have yet to deploy because they can’t get all the paperwork straight on what we are going to put in the project and all the rest of that. It’s typical. So with that approach, we’re killing ourselves. You got a defense industry that’s moving at 55 miles an hour when the rest of the world is moving at Mach 2 and then we wonder why we’re not catching up.
So hopefully I’ve given you a few things to think about as you go through these debates and discussions with your constituents. You’re in a position to influence what issues are examined, if not some of the solutions that are considered. I would invite you turn the discussion sideways. Cybersecurity is orthogonal to IT. Turn the telescope around and look at this problem a little bit differently and you might find some very interesting results.
Thank you all. (Applause.)
MS. SCHOLTE: Now, John will take your questions.
Q: Thank you very much. I have just two quick questions. The first is that you put the focus on developing an economic model like a – like a security sign. How did you want to go about doing that? And the second is that in your model we have the cracks in the delivery system – (off mic) – and not too long ago there was a mission about a – (off mic) – coming out of different developed countries manufactured endless supply to those trusted factors that were either counterfeit or – (off mic) where they could not be trusted. So I don’t know where you would see that as a – (off mic).
MR. HIGGINBOTHAM: Let’s take the second question first. It’s part of the network because, again, if you buy in and adopt the perspective that it’s an untrustable network – period - you’re serving valuable missions with known exploits that you must address. I’m going to have hardware exploits, I’m going to have insider attacks, I’m going to have keyloggers, I’m going to have malware. I think it was McAfee’s most recent study that suggests every minute there’s 41 new malware signatures and the typical time that it takes to identify, on average, a malware signature, I think, is now 40 days. So you’ve got 41 new ones coming in every minute. That’s why AV is having issues and that’s why data inspection and threat detection are having issues. You can’t keep up with that.
If you take a true defensive perspective, it means protecting all seven layers of the old OSI date stack model. And part of that is that we must assume there’s hardware exploits. These are there, now what do I do? So you’ve got to figure out how to create these cross-layer roots of trust that can remain reliable even if the IT roots of trust are compromised.
First question, building a new industry model is not easy. I’ve done it a couple of times. We built a whole model for the space industry about 15 years ago and it’s still holding up. It takes really breaking down the summaries and go down into the raw data, as deep as you can, as broadly as you can, as many examples as you can get and then rebuild it as best you can with insightful and sophisticated capabilities including the trade-offs as part of the model. It can be done, it’s not rocket science. It’s actually more just brute force than anything else and, you know, that’s doable. You can borrow some examples from the insurance industry. You can borrow some examples from the IT industry. But then adapt them to the specific issues and rebuild the data around an insightful model. This could be a perfect thing for the Department of Commerce to do with several others. Most of the states could and would probably buy in on the challenge. So it would be a very easy thing to mount an effective and useful mission at the public level to build cybersecurity models that are really useful in this debate because they really aren’t out there right now.
Other questions? Yes, ma’am.
Q: Thank you so much for your insightful presentation on this topic and on what you just told us. My question is based on what you talked about with standards, where does the public and the privates concerns come into making these standards. Does the public sector standard or the private sector standard – I just want to know where the –
MR. HIGGINBOTHAM: The answer is “yes”. (Laughter.) The way standards come into being, at least in the United States, ends up being a joint effort that’s negotiated. Right? The public sector usually has one perspective, the private industry’s looking for a different perspective because they don’t want a standard to be written that locks out their solution. Right? So, you know, it’s an ugly, messy thing that over time, with expert inputs from independent technical groups on policy issues you can build standards. But it’s typically a messy, ugly thing.
My suggestion is, when that process really gets going, make sure there’s at least a component of it that is looking at this from a perspective that is different from the IT perspective. It’s looking at it from a security perspective and really getting it. I think you’ll be able to build standards that are useful, but at the same time, aren’t locking out innovation, and that’s a real delicate balance. It’s a tough one to figure out. Sometimes, it’s just trial and error. You do what you think’s the right thing and then monitor progress. Is this standard really delivering for me, the public institution, the kind of comfort level I’m looking for from the industry players. Does it have the kind of ability to interoperate or be interoperable with the rest of the world?
I could give you some specific examples: An unnamed agency did a lot in terms of trying to define certain standards in the layers of the OSI model. In order to test that, they were saying we’ve got to take our layer 2 protection - which is your comms protection – and give access from our layer 3 environment. We’re (Blue Ridge) isolation and containment in its purest form. That’s the last thing you want to do, because that creates a back door. As soon as you let somebody in through your routed network down into your communications channel, I’ve got a back door. Soon as we can do that, it breaks the security model. It’s what they wanted from an IT perspective, but it broke the security model.
So this is where how you set standards has to be a little more insightful, I think, than perhaps, we’ve seen in the past. Other questions.
Q: Hi, first, thank you for your time. My question is, seeing as you’ve had experience with the different kinds of threats that have happened from a broader perspective of that threat assessment, could you see any cybersecurity attack besides like denial of services or phishing escalating to the point where it could be considered an act of war against the United States?
MR. HIGGINBOTHAM: Absolutely, absolutely.
Q: And what would that be?
MR. HIGGINBOTHAM: I mean, you shut down the energy grid in this country, you got major problems. And you know, as civilized as we are, you take 300 million people and deny them electricity for about three weeks, it’s going to get ugly, believe me.
The derecho storm we went through is a good example. My mother and sister have a place in West Virginia - they were happy to be there when it hit. But they were without power for nine days. The first three or four days, it was fine. But by day five through nine – well, you start getting really scared. Believe me. So I mean, that’s absolutely a threat. By polluting water or shutting down the communications grid for an extended period of time, you’ve got major disruption. So the disruption of assets is clearly very serious. And we already know it’s possible to deploy malware that can do physical harm. That’s what others did, right?
So imagine, getting a blitzkrieg of malware that’s cranking pumps up to, you know, a red line, getting in your cars. I can tell you, the automobile industry’s scared stiff about this, because look at what’s happening to the automobile business. Ten years from now the automobile is going to be basically a rolling server that’s electric, electronic, and digital. Put a piece of malware in say 20 million U.S. cars going down the highway at 60 miles an hour and look at what happens. It’s just disaster.
So there are absolutely scenarios and unfortunately, real scenarios that leave no question that it would be an act of war.
Other questions, yes sir.
Q: Thanks again for speaking today and I have a similar sort of follow up question, I hear a lot about how the information revolution – (off mic) – individual. To what extent do these types of attacks, you know, big – (off mic) – attacks you’re talking about – to what extent are nonstate actors capable of making these? Or is there a huge starting cost associated with setting up – (off mic) – or is this the kind of thing you could see nonstate actors that are (probably ?) retaliating against this kind of thing?
MR. HIGGINBOTHAM: I think the exposure is real at the individual level. The individual attacker is somebody with a reasonably decent computer background – you don’t have to be a Ph.D. in computer science. Let’s think about this. You got kids that got a hold of their first computer at four or five years old that have been programming for 10 years by the time they’re 15 years old. Very smart. That’s the level of technical competence you need to start to build tools that can do some serious damage.
I maintain a little website just to kind of see what’s happening. I’d say a third of what’s coming over it is clearly attempts to steal money, get ID. God knows where they’re coming from. You know, we do have search capabilities as well, so we got a pretty good idea. We’ve tracked attacks from 117 countries. There aren’t too many more countries that this and the only reason why we didn’t track the others is because we don’t have the software agents deployed in the others. (Chuckles.) But I’m sure they’re hacking us. So at an individual level, the pranksters and criminals and hacksters, absolutely, are just growing by the day.
Q: You said Russia used cyberwarfare as initiation of a (ground war fight ?) possibly, (on the other hand ?), Estonia – (off mic) – and they seem – (off mic) – to the USA and NATO on – (off mic) –they just kind of sat there and said, oh. Are we – are we not catching up if we go back to that?
MR. HIGGINBOTHAM: You know, I’m not going to comment on the state of readiness of us and our allies with respect to cyberwar. I think those examples you cite from two to three years ago were the last one. And you know, we’re learning quickly, OK? So I would encourage you have some serious confidence in the defense community and the intelligence community to be ready. They might get snookered once (chuckles). But it only takes once and they catch up real quick, OK?
Q: One question I have (off mic) and Blue Ridge Networks has never been hacked and not many software or encryption or information assurance systems can say that, but they haven’t been hacked, whether it’s Symantec or McAfee or this or that or whatever. What approach did you all take that’s so different?
MR. HIGGINBOTHAM: I don’t want to turn this into a commercial, and we didn’t talk about this before, so I’m not going to let it turn into a commercial, but I’ll tell you this. Blue Ridge is actually 17 years old as a company, that started with intelligence agencies customers and built a cybersecurity architecture concurrent with the advent of TCP/IP. I bought into this company in August of 2010, and I didn’t get permission until recently to tell you that – what I just told you. And the reason is, it was so good, you couldn’t use it everywhere.
The reason we are now expanding our customers more broadly is that problems have gotten so broad and in so many places that it just made no sense to withhold the technology. So you have a situation where you have a company that nobody’s ever heard of and we’re small –we’re 30 people – that handled a small community of customers over many, many years, providing global cloud operations that have never been hacked so far. And the way we did that is – what Blue Ridge did - was to start from the concept that the network’s untrustable. So we needed a fundamental cybersecurity architecture, and over the years, it’s built up technologies – open-standard technologies, proprietary stuff they had to develop, licensed stuff from the NSA and others – and packaged and built a blending of these technologies across all seven layers of the IT stack for data in motion that absolutely works.
No one would ever say, including Blue Ridge, it has perfect security. But our contribution to cybersecurity does work. We secure remote access from extranets and users into a protected network. That’s what we do. We’re not trying to protect the network; we’re not trying to scan for malware. We’re not an antivirus company. We’re that new innovator, I think, and are legitimately that new layer of defense. You’ve heard the words “layered defense”, “defensive layers”, and “new layers of defense”. I actually think we are one. I think we’re a new layer of defense that, when you lay it on top of an IT network, you actually get security and it allows you to re-optimize your IT network to get better throughput. And we’ve seen this over and over again when we deploy. Most of our customers end up with somewhere between 10 to 30 percent higher throughput through their existing IT architecture because they can offload all the crap that isn’t working. Anyway, enough commercial. Any other questions?
Q: Thanks for your presentation. Just a quick question about your perception of the role of government –we all accept that and we do a reasonably good job protecting classified networks but talk a little bit about the unclassified side where, you know, we talk in industry about owners and operators – I mean, the private sector own 85, 90 percent and that sort of is the question of the hour – question de jure. What do you think the proper role of government is to incentivize this market or to stamp its way, – you know, that’s the thing that we’re all grappling with.
MR. HIGGINBOTHAM: Well, first on the list are the requirements. I mean, let’s face it; at the end of the day, what will get people’s attention the quickest is the procurement. If you’re procuring something that specifies more strongly security requirements that are insightful, vendors will respond. So I think, in terms of being able to define the policies and the programs and the program attributes that are then built into requirements, and do it in a way that puts more emphasis and more intelligence and insightfulness into this matter, the marketplace will respond. Because you’re the customer. That first and foremost, that will get the biggest, quickest change.
Secondly, I’ve suggested in the conclusion here a couple of other things that could be done in terms of the various policies that ultimately are promulgated for use of these networks. As regards the balance of secure operations versus freedom and protection of privacy and these kinds of things, you might relook at it from the standpoint of: how to bring protection and defense into the policies that are being implemented in addition to some of these other things that are currently in discussion. So I think by elevating a more insightful sense of what’s really required to do cybersecurity in the policy discussion you’re going to get better outcomes.
Then lastly, some peripheral things that government is perfect to do as the objective arbiter of data rights, models, and standards absolutely adds value and is critical to progress in addressing this challenging problem.
Suzanne how we doing? Any more questions?
SCHOLTE: How about one more.
Q: I know that you’re barred by security matters, but when do you think Iron Man IV might come out? (Laughter.)
MR. HIGGINBOTHAM: You know, my son, when he got on that project – it was a big deal for him. So his first day, the first weekend he went down - they shot mostly in North Carolina – we called him and I asked him to tell me what’s going on? He says, “Dad, stop.” He says, “You have no idea. You think you deal with security?” (Laughter.)
He said, “You have no idea what we had to sign, what we were briefed, the warnings we got.” He said, “I can’t tell you the actors,” he says, “I can tell you nothing.” He says, “You probably shouldn’t even know we’re going to be in North Carolina, except, it’s kind of hard to hide that.”
So I know nothing about Iron Man IV, and if I did, there’s no way in hell I’d tell you, because I’m protecting my son. Thank you.
MS. SCHOLTE: Thank you so much. That was a great presentation, and something really to think about, the fact that with all the budget problems we’re having right now to know that our economy is being stripped away by cybertheft and cyber attacks costing trillions of dollars -- 6 to 7 trillion dollars is something that both parties need to work together to address. Well, thank you all for coming. I – just a quick housekeeping thing. Anyone who didn’t RSVP that came – it’s great that you came, but if you want to be on our email list, we might not have your email. So go ahead and shoot us an email if you want to get added to get information on upcoming forums. And again, thank you so much for joining us today. Take care. (Applause.)